CVE-2024-48990 PoC — needrestart 安全漏洞

Source

https://github.com/Cyb3rFr0g/CVE-2024-48990-PoC

Associated Vulnerability

Title:needrestart 安全漏洞 (CVE-2024-48990)
Description:needrestart是liske个人开发者的一款用于检查升级后需要重新启动哪些守护进程的工具。 needrestart 3.8之前版本存在安全漏洞，该漏洞源于允许本地攻击者通过诱骗needrestart使用攻击者控制的PYTHONPATH环境变量运行Python解释器，并以root身份执行任意代码。

Description

My take on the needrestart Python CVE-2024-48990

Readme

This simple shell script should create all the required file for this vulnerability to work.

First it creates a randomly generated temporary file that will be used to compile the fake \_\_init\_\_.so file
When the vulnerability is triggered. This file will execute and copy the bash binary to /tmp/ribbit and set the SUID bit.
Next It creates the importlib directory in the current working directory
It then compiles the temporary file created into \_\_init\_\_.so and puts it into the newly created directory
Lastly it creates another randomly named temporary python file that sleeps and waits for the vulnerability to trigger. Once triggered it will execute the SUID set bash binary resulting in a root shell.

Once the python script is started. needrestart needs to execute with root permissions. This is typically done when apt-get is used.

File Snapshot


 [4.0K]  /data/pocs/8f26c792573718b08e95557929e4c1ae7f406a03
├── [1.6K]  privesc.sh
└── [ 846]  README.md

0 directories, 2 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!